What is claimed is: 

1. A method for generating and verifying an ID-based 
blind signature by using bilinear parings, comprising the 
5 steps of: 

generating system parameters, selecting a master key, 
and then disclosing the system parameters by a trust 
authority; 

generating a private key by using a signer's identity 
10 and the master key, and then transferring the private key to 
the signer through a secure channel by the trust authority; 

receiving and storing the system parameters by a user 
and receiving and storing the system parameters and the 
private key by the signer; 
15 computing a commitment by using at least one of the 

system parameters, and then sending the commitment to the 
. user by the signer; 

blinding a message by using the commitment and a 
public key based on the signer's identity, and then sending 
20 the blinded message to the signer by the user; 

signing the blinded message by using the private key, 
and then sending the signed message to the user by the 
signer; 

unblinding the signed message by the user; and 
25 verifying the signature by the user. 
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2. The method of claim 1, wherein the system parameters 
include G, q, P, P pub , H and H lf where G is a cyclic group, q 
is G f s order, P is a generator of G, P pub is the trust 
authority's public key described by P pub = s • P, where s is 

5 the master key, and H and H 2 are hash functions, 
respectively, described by H: {0,1}* Z q and H 2 : {0,1}* -> 
G, where Z q is a cyclic multiplicative group; and 

the bilinear paring e is defined by e: G x G —> V, 
where V is a cyclic multiplicative group of the order q and 
10 uses the cyclic multiplicative group Z q . 

3. The method of claim 2, wherein the public key Qid is 
described by Q ID = H 1 (ID), where ID is the signer's identity, 
and the private key S ID is described by S ID = s • Q ID . 

15 

4. The method of claim 3, wherein the commitment R is 
described by R = r • P, where r is a random number the 
signer chooses. 

20 5. The method of claim 4, wherein the blinded message c 
is described by c = H(m, e (b - Q 1D + R + a • P, P pU b) ) + b (mod 
q) , where m is a message to be sent and a and b are blinding 
factors belonging to Z q * . 

25 6. The method of claim 5, wherein the signed message is 
described by S = c ■ S ID + r • P pU b* 
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7. The method of claim 6, wherein the step of unblinding 

is performed by using formula S' = S + a • P pub and c' = c - 
b. 

5 

8. The method of . claim 7, wherein the step of verifying 
is performed by using following equations: 

H(m, e(S', P) • e(Q ID , P puh )~ c, ) = C. 

10 9. An apparatus for generating and verifying an identity- 
based blind signature by using bilinear parings, comprising: 
means for generating system parameters, selecting a 
master key, and then disclosing the system parameters by a 
trust authority; 

15 means for generating a private key by using a signer's 

identity and the master key, and then transferring the 

private key to the signer through a secure channel by the 

trust authority; 

means for receiving and storing the system parameters 
20 by a user and* receiving and storing the system parameters 

and the private key by the signer; 

means for computing a commitment by using at least one 

of the system parameters, and then sending the commitment to 

the user by the signer; 
25 means for blinding a message by using the commitment 

and a public key based on the signer's identity, and then 
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sending the blinded message to the signer by the user; 

means for signing the blinded message by using the 
private key, and then sending the signed message to the user 
by the signer; 

5 means for unblinding the signed message by the user; 

and 

means for verifying the signature by the user. 

10. The apparatus of claim 9, wherein the system 
10 parameters include G , q, P, P pub , H and H lf where G is a 
cyclic group, g is G ! s order, P is a generator of G, P pub is 
the trust authority's public key described by P pub = s • P, 
where s is the master key, and H and Hx are hash functions, 
respectively, described by H: {0,1}* -> Z g " and H 2 : {0,1}* 
15 G, where Z g * is a cyclic multiplicative group; and 

the bilinear paring e is defined by e; G x G —> V, 
where V is a cyclic multiplicative group of the order q and 
uses the cyclic multiplicative group Z q * . 

20 11. The apparatus of claim 10, wherein the public key Q ID 
is described by Q ID = H 1 (ID) / where ID is the signer's 
identity, and the private key S ID is described by S ID = s • 
Qid. 

25 12. The apparatus of claim 11, wherein the commitment R is 
described by R = r • P, where r is a random number the 
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signer chooses, 

13. The apparatus of claim 12, wherein the blinded message 
c is described by c = H(m, e (b • Q ID + R + a • P, P pub ) ) + 

5 b (mod q) , where m is a message to be sent and a and b are 
blinding factors belonging to Z q * . 

14. The apparatus of claim 13, wherein the signed message 
is described by S = c ■ S ID + r • P pub . 

15. The apparatus of claim 14, wherein the means for 
unblinding unblinds the signed message by using formula S' - 
S + a • P pub and c' = c - b. 

16. The apparatus of claim 15, wherein the means for 
verifying verifies the signature by using following 
equations: 

H(m, e(S' , P) • e(Q ID , P pub )~ cf )= C . 
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